I signed up for a gotroot subscription and tried the rules as suggested for a cPanel installation, i.e. a relatively light rule set.

While most rules parsed OK, performance on the server was significantly degraded: a normal dynamic page that delivered in 300 milliseconds would take 20 seconds to load. It looks like the mod_security implementation needs to be optimized or precompiled in some way, or an Apache reverse proxy run in front of LiteSpeed.

This is becoming a problem and as far as I can see it's just being overlooked. I've got a fair amount of licenses but am tempted to just go back to Apache as basic security features don't appear to get the development time they deserve.

Same here. We see more and more hack attempts every day, and we need full mod_security support. I am a bit upset that we weren't told from the start that LiteSpeed's mod_security support is very incomplete. And now, even with Atomicorp doing all they can to help LiteSpeed implement it, it apparently still isn't there.

In today's climate, we need full support for mod_security. LiteSpeed may brag about their security features, but those features are ineffective if other threats are getting through because of the incomplete mod_security support.

LiteSpeed is very expensive considering the open source alternatives available. And LiteSpeed's support leaves a lot to be desired. For example, almost every other software company offers ticket-based or e-mail support. But with LiteSpeed, we must rely on forum-based support. And the answers in the forum are often cryptic and hard to follow. It is often hard to find the answers needed to properly configure and maintain LiteSpeed. So, on top of these issues, the security concerns are becoming a deal-breaker.

LiteSpeed, you will probably lose a lot of clients over this issue (including us) if you don't add real mod_security support ASAP.

LiteSpeed has a proprietary closed implementation of mod_security, the WAF module we use in Apache. The LiteSpeed modsecurity implementation is not complete, does not support the full rule language, and is not fully compatible with modern mod_security rules. We recommend you contact Litespeed to confirm what they may or may not support in the modsecurity rule language.

The Litespeed modsecurity implementation is not the same or a "drop in" replacement for the real modsecurity module. It is also not fully compatible with modsecurity rules nor is the litespeed implementation complete. Therefore, all modern modsecurity rules will not work correctly or completely on Litespeed. In some cases, they may not load, or if they load they may not even work as expected. We have provided Litespeed with our rules and free ASL licenses, and eagerly await the day when they will actually support modsecurity. As of August 2011, the LiteSpeed implementation is still reported to be incomplete. You can read more about this on the Litespeed forums:

As a result of this, Litespeed currently only supports 1.9.x features and a subset of 2.0 features. Our rules are built for modsecurity 2.6.1. 1.9.x was obsolete many years ago (and we retired the 1.9.x rules as a result many years ago). The current version of the modsecurity rule language is 2.6.x, which we fully support. Litespeed is working on some 2.6.x compatibility, but it is still not complete and it appears they do not intend to fully support the language. We encourage you to encourage LiteSpeed in their efforts to support the full mod_security rule language.

If this is true, even if you "support 2.5 rules," that does not mean that your implementation of mod_security is complete. Please clarify this further.

BTW, I am not trying to be negative. I just need to make sure we are fully protected. Atomicorp seems to be a reliable company, so I trust their facts. However, if I have the facts wrong, please enlighten me.

Atomicorp still tells me that LiteSpeed does not fully support mod_security. Can LiteSpeed please supply complete details?

We are about to deploy additional servers, but we can't put LiteSpeed on them (or continue using it on our existing servers) if LiteSpeed cannot even tell us how much of mod_security is actually supported...and what functionality is missing.

Atomicorp is a respected expert on security, so if they say there is a problem, I believe it.

LiteSpeed, please provide a complete, honest, comprehensive answer about your mod_security support (what's included, what's missing, etc.). (This is my other complaint about LiteSpeed, that complete information is often hard to get...answers are often incomplete or vague.) LiteSpeed, please answer the mod_security issue completely.